# Copyright 2020 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# go-toolset uses RH's Go fork which uses OpenSSL for FIPS-certified crypto
# if this is not desirable, pass -tags no_openssl to SPO build
# see https://access.redhat.com/documentation/en-us/red_hat_developer_tools/2018.4/html/using_go_toolset/chap-changes
# for more details

# hash below referred to latest
FROM registry.access.redhat.com/ubi8/go-toolset@sha256:258e9a3fb96c4cf4ed0a7947e26f47f1af0a548ecd5d22b3a029a41328a90409 AS build
USER root
WORKDIR /work

RUN dnf install -y \
  libseccomp-devel \
  libbpf

ADD . /work
RUN mkdir -p build

# Use latest golang
RUN ARCH=$(arch | sed 's|x86_64|amd64|g' | sed 's|aarch64|arm64|g') && \
    GO_VERSION=$(curl -sSfL https://go.dev/VERSION?m=text | head -n1) && \
    curl -sSfL https://go.dev/dl/${GO_VERSION}.linux-${ARCH}.tar.gz | \
    tar -xzf - -C /usr/local
ENV PATH="/usr/local/go/bin:$PATH"

ARG APPARMOR_ENABLED=0
ARG BPF_ENABLED=0

# OCP in FIPS mode doesn't like statically linked SPO
ARG STATIC_LINK=no

RUN make

# hash below referred to latest
FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:61d5ad475048c2e655cd46d0a55dfeaec182cc3faa6348cb85989a7c9e196483
ARG version
USER root

RUN microdnf install -y \
  libseccomp \
  libbpf

LABEL name="Security Profiles Operator" \
  version=$version \
  description="The Security Profiles Operator makes it easier for cluster admins to manage their seccomp, SELinux or AppArmor profiles and apply them to Kubernetes' workloads."

COPY --from=build /work/build/security-profiles-operator /usr/bin/
COPY --from=build /work/build/spoc /usr/bin/

ENTRYPOINT ["/usr/bin/security-profiles-operator"]

USER 65535:65535

# vim: ft=dockerfile
